It’s been a long road since the U.S. Congress first enacted HIPAA.1 HIPAA and its Privacy and Security Rules provide a federal standard for the protection of an individual’s health information, more commonly known as protected health information (“PHI”). Originally, HIPAA only applied directly to three types of “covered entities”—(1) healthcare providers (who transmitted PHI electronically), (2) health plans, and (3) healthcare clearinghouses. These covered entities then had to police their vendors through a business associate agreement (“BAA”) that extended HIPAA protections to PHI the vendors used or disclosed.
With the passage of the HITECH2 provisions in 2009, those same HIPAA protections that had applied indirectly through a BAA became directly applicable to business associates. In other words, business associates had to adopt privacy and security policies and procedures to demonstrate their own HIPAA compliance, especially with respect to the security of electronic PHI.
To make things a bit more complicated, HIPAA has never preempted more stringent state laws. A state law that conflicts with HIPAA but gives PHI greater protection continues to apply alongside the federal standard. For instance, Texas law,3 where it grants stronger protections to PHI than HIPAA, governs.
Under the Texas Medical Records Privacy Act (“Privacy Act”), this has two practical results. First, the Texas definition of “covered entity” encompasses anyone who obtains, uses, collects, evaluates, stores, or transmits PHI. Thus, entities considered business associates under HIPAA are covered entities under the Privacy Act and must comply with its standards. Second, the Privacy Act, through new requirements adopted during the 2011 legislative session, generally provides more stringent protection in four areas: (1) employee training, (2) marketing with PHI, (3) sale of PHI, and (4) re-identification of PHI. These protections include:
As of September 1, 2012, Texas covered entities must provide and document specific privacy training for their employees. The training must account for the covered entity’s type of business and the scope of each employee’s duties with the covered entity. This training must be completed within 60 days of a new employee’s hire date, and then repeated at least once every two years thereafter.
HIPAA generally allows covered entities to use or disclose PHI to market virtually all types of healthcare products or services without first obtaining an individual’s authorization (with some limited restrictions). The Privacy Act, however, generally prohibits the use or disclosure of PHI for marketing purposes, unless the Texas covered entity has first obtained the consent or written authorization of the individual.
When parties exchange remuneration for the use or disclosure of PHI (i.e., the sale of PHI), HIPAA generally requires written authorization from the patient, and that authorization must disclose that direct or indirect remuneration may be involved as well as the nature of the remuneration. The Privacy Act incorporates this disclosure requirement, but it goes further: it generally prohibits the sale of, or the exchange of remuneration for, PHI except in very limited circumstances, even where the covered entity has obtained the individual’s written authorization. Likewise, while HIPAA permits de-identified information to be re-identified under specified guidelines, the Privacy Act prohibits re-identification of any kind without first obtaining the individual’s consent or authorization.
As you can see, the Privacy Act can complicate true compliance with the Privacy and Security Rules under HIPAA. It is imperative your policies and procedures satisfy these more stringent Texas protections.
On January 17, 2013, the U.S. Department of Health & Human Services (“HHS”) posted the final HIPAA omnibus rule to implement the extensive privacy, security, and enforcement changes adopted under HITECH. This final rule was effective on March 26, 2013, but covered entities and business associates had until September 23, 2013, to comply with the new requirements. The final omnibus rule includes changes to: (1) make business associates directly liable for compliance with certain privacy and security rule requirements; (2) strengthen limitations on the use or disclosure of PHI for marketing or fundraising purposes; (3) prohibit (or severely limit) the sale of PHI without individual authorization; (4) expand individual rights to receive electronic copies of their PHI; (5) enact final breach notification requirements when e-PHI is compromised; and (6) enhance the HIPAA enforcement rule and related monetary penalties.
1 Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (1996), codified at 42 U.S.C. § 1320d et seq.
2 Health Information Technology for Economic and Clinical Health Act, § 13001 et seq. of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5 (2009).
3 See, e.g., Texas Medical Records Privacy Act, Tex. Health & Safety Code Ann. § 181.001 et seq., more commonly known as “Texas HIPAA.”